Cloud-Native Security: Reduce Risk in the Enterprise

Security threats to enterprise systems and data have never been greater. Yet traditional approaches, including those employed by public cloud providers, are simply more of the same: reactive tactics that treat the symptoms of an attack rather than removing the root cause. The surging popularity of cloud-native applications has challenged conventional wisdom in every conceivable way. Up and down the stack, from infrastructure to application development, there is a sharp contrast between legacy methods and the cloud-native approach, and a broad consensus has formed on the patterns and practices that tend to succeed: a DevOps culture, continuous delivery, and a microservices architecture. Why haven’t we reimagined security for the cloud-native era? Where are the bold new ideas? That is the innovation behind cloud-native security: a transformative way to reduce risk in the enterprise.

What is cloud-native enterprise security?

Effective enterprise security is cloud-native security. There are three principles of cloud-native security:

Repair

Repair vulnerable software as soon as updates are available.

Repave

Repave servers and applications from a known good state. Do this often.

Rotate

Rotate user credentials frequently, so they are only useful for short periods of time.

These are known as the 3 Rs of security: repair, repave, and rotate.

This new approach to security is sorely needed. To understand why the traditional approach is broken, just look at the sobering reality presented in the recent Symantec Internet Security Threat Report. A few of its statistics:

• A new zero-day vulnerability was discovered each week

• Half a billion personal records were stolen or lost

• Vulnerabilities were found in three quarters of websites

• Spear-phishing campaigns targeting employees increased 55 percent

• Ransomware increased 35 percent

Although the volume of threats keeps growing and attacks move faster every year, the types of threats that wreak havoc in a data center are relatively simple:

• Malware. This is a catch-all term for viruses, trojan horses, worms, spyware, and other programs with malicious intent.

• Advanced persistent threats. These are breaches in which an attacker gains access to a network and stays there undetected for a long period of time. The longer the intrusion goes undetected, the more data is at risk.

• Leaked credentials. Credentials control access to information and other resources. No matter how hard an organization tries to lock down employee credentials to critical systems, they always seem to get out into the wild.

Why cloud-native enterprise security matters

Data center security is broken

The security tradition in the enterprise today screams “slow down.” The answer to any request is almost always “no.” Change is resisted at every level because any change is treated as the sign of a potential threat. Contrast this with application development and operations. Those groups now work together in new ways (broadly dubbed “DevOps”) to deliver new code faster. Constant, more sophisticated, and ever-evolving threats require security teams to rethink their approach in the cloud-native era as well.

Threats are evolving faster than ever

Malware and advanced persistent threats are proliferating. Malicious programs can be created and deployed for next to nothing. Hundreds of new threats attempt to penetrate enterprise systems every day. Traditional security measures cannot evolve nearly as quickly. A cloud-native approach offers both external perimeter protection and internal systems protection.

Mitigating credential leakage is possible

Credentials will always be leaked, but system administrators do not have to sit idle and let it happen. They can cut the lifespan of a credential from the weeks or months that give an attacker plenty of time to find and use it down to hours, or even 15 minutes. A cloud-native security approach ensures that leaked credentials quickly become worthless.
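To make the “rotate” principle concrete, here is an added example (not Pivotal code, and not any real credential service) of a hypothetical credential broker. A credential carries its own expiry and an HMAC over its fields, so a captured credential dies on its own after the TTL, and rotating the broker’s signing key kills every outstanding credential immediately, whether or not it has expired. The 15-minute TTL, the principal name and the fake clock are assumptions made for the demonstration.

```python
# Added example: a hypothetical short-lived credential broker that
# demonstrates the "rotate" principle. It is illustrative code, not part of
# Pivotal Platform or any real credential service.
import hashlib
import hmac
import secrets
from typing import Callable, Tuple


class CredentialBroker:
    """Mints HMAC-signed credentials that carry their own expiry.

    Two independent ways a leaked credential becomes worthless:
      1. time passes and the embedded expiry is reached (short TTL), or
      2. the broker rotates its signing key, which invalidates every
         credential issued before the rotation, expired or not.
    """

    def __init__(self, ttl_seconds: int, clock: Callable[[], float]):
        self.ttl_seconds = ttl_seconds     # 900 = a 15-minute lifetime
        self.clock = clock                 # injectable so the demo is deterministic
        self._key = secrets.token_bytes(32)
        self._generation = 0               # how many rotations have happened

    def _mac(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, principal: str) -> str:
        """Return 'principal:expiry:generation:mac'."""
        expiry = int(self.clock()) + self.ttl_seconds
        body = f"{principal}:{expiry}:{self._generation}"
        return f"{body}:{self._mac(body)}"

    def rotate(self) -> None:
        """Swap the signing key. Do this on a schedule and on suspicion of a leak."""
        self._key = secrets.token_bytes(32)
        self._generation += 1

    def verify(self, credential: str) -> Tuple[bool, str]:
        """Return (accepted, principal-or-reason)."""
        try:
            principal, expiry, generation, mac = credential.rsplit(":", 3)
        except ValueError:
            return False, "malformed"
        body = f"{principal}:{expiry}:{generation}"
        # Check the MAC before trusting any field; constant-time compare.
        if not hmac.compare_digest(mac, self._mac(body)):
            return False, "bad signature (forged, tampered, or key rotated)"
        if int(expiry) <= self.clock():
            return False, "expired"
        return True, principal


def demo(ttl_seconds: int = 900) -> dict:
    """Walk a captured credential through its lifetime with a fake clock."""
    now = [1_600_000_000]                          # fake epoch seconds (constructed)
    broker = CredentialBroker(ttl_seconds, lambda: now[0])
    results = {}

    leaked = broker.issue("deploy-bot")            # attacker captures this at t=0
    results["fresh"] = broker.verify(leaked)[0]    # accepted

    # Attacker tries to extend the lifetime by editing the expiry field.
    principal, expiry, generation, mac = leaked.rsplit(":", 3)
    forged = f"{principal}:{int(expiry) + 86400}:{generation}:{mac}"
    results["forged_expiry"] = broker.verify(forged)[0]    # rejected: bad MAC

    now[0] += ttl_seconds - 1
    results["just_before_ttl"] = broker.verify(leaked)[0]  # still accepted
    now[0] += 2
    results["after_ttl"] = broker.verify(leaked)[0]        # rejected: expired

    # A second leak, caught early: rotate instead of waiting for expiry.
    leaked_again = broker.issue("deploy-bot")
    broker.rotate()
    results["after_rotation"] = broker.verify(leaked_again)[0]  # rejected: bad MAC
    return results
```

The point of the two mechanisms is that they cover different failure modes: a short TTL bounds the damage from a leak nobody noticed, while key rotation is the emergency brake for a leak you did notice. Neither helps if the broker’s own key is stored next to the credentials it signs, so the signing key itself needs the same treatment as any other secret.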

Enterprises need to conduct a realistic assessment of the security challenges they face and understand why today’s approaches to security are falling short:

Are systems at risk due to the patching we are intentionally not doing?

Vendors continuously release patches, and that is great. However, the practical reality is that a typical enterprise has procured thousands of servers over several years, each loaded with different software packages. The effort to patch these systems regularly (let alone quickly) is mind-boggling. So what happens? System administrators are pragmatic. They triage. The truth is that systems go knowingly unpatched. That is a broken process.

Are organizations, processes, and tooling designed to react to threats rather than prevent them?

By the time an attack has been detected, the damage is often already done. Further, finding a breach is only the beginning; you still have to fix it.

Are your security vendors only offering incremental improvements?

Big vendors of the cloud-native era certainly look different from the dominant providers of a decade ago, but where are the revolutionary vendors in security? Enterprise buyers and security vendors are still having the same conversations about the same products they had in the dot-com era. Now the products might be delivered “as a service,” added to an on-premises private cloud, or served up as a virtual appliance in a public cloud. These are hardly earth-shattering advances in enterprise IT compared to infrastructure as a service, Agile development, or microservices.

Are you prevented from updating production systems frequently?

Going to production with new software takes months. It is a painful, arduous journey, and once new bits are online, no one wants to change anything. Why? Because it might break, and that would be bad. Here is what is worse: a static environment is fertile ground for attacks. The way production systems are managed today could not be more inviting to attackers, and unfortunately, cyber criminals know it.

All of these points are symptoms of a larger issue: a mindset that believes “going slower reduces risk.” In fact, the opposite is true. The faster systems change, the harder they are to penetrate. That is the core idea of cloud-native security. One qualification matters in practice: the change has to be automated and sourced from a known-good, patched image. Ad hoc edits to running production hosts are also “change,” but they are the drift that attackers exploit rather than a defense against them.

The two postures differ on four points (cloud-native security first, traditional security second in each pair):

Automated (cloud-native). Threat mitigation occurs when systems can be quickly updated. Automation and the adoption of immutable infrastructure eliminate systems with unique (and therefore problematic) security configurations.
Monitored and instrumented (traditional). Because organizations believe that a system change is the sign of malware, massive investments are made to detect data center changes.

Proactive (cloud-native). Malware thrives on vulnerable software and static, unchanging systems. The priority is to aggressively change the state of systems, eliminating the conditions malware needs to survive.
Reactive (traditional). Detecting threats quickly is the priority. Steps to mitigate the threat are taken once a vulnerability has been identified.

Patched via clean-slate redeployment (cloud-native). Patches are applied as soon as they become available. New “golden” images with the latest bits are rolled out across the data center using automation and immutable infrastructure concepts.
Patched incrementally (traditional). Patches are applied incrementally to systems, as each one is approved by internal teams. Patches for operating systems and middleware are triaged and then applied.

Promoting change (cloud-native). Organizations believe the faster systems change, the harder it is for malware to thrive.
Resisting change (traditional). Organizations believe the slower the pace of change, the safer the enterprise will be.

What to keep in mind if you're addressing threats

The notion of going faster to make your enterprise more secure may be new, but it’s proven. Some of the world’s largest companies, from banks and retailers to telecom providers and automotive manufacturers, today rely on cloud-native security that includes several borrowed concepts from cloud-native development and operations.

When you consider these three types of threats and their root causes, there is a practical 3 Rs approach to fighting them:

Threat: Malware
Root cause: Feeds on misconfigured and/or unpatched software. It often takes months to deploy patches to operating systems and application stacks, even in a virtualized world. It is not uncommon for an enterprise to leave a server vulnerable for six months or more.
Cloud-native mitigation: Repair vulnerable software as soon as updates are available.

Threat: Advanced persistent threats (APTs)
Root cause: Requires time to thrive inside a network. APTs thrive in environments that change incrementally, where systems are hardly ever restored to a last-known good state.
Cloud-native mitigation: Repave servers and applications from a known good state to reduce the amount of time an attack can persist.

Threat: Leaked credentials
Root cause: Credentials seldom rotate. So, if an attacker can find some, they are likely to remain valid and useful for a long time.
Cloud-native mitigation: Rotate the credentials frequently so they are only useful for short periods of time.
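The repair and repave rows above describe two triggers for rebuilding a host: the image it runs no longer carries the latest patches, and the host has either lived too long or no longer matches the image it was built from. As an added example (not Pivotal Operations Manager or BOSH code), the following hypothetical planner applies those rules to a small constructed fleet: it digests a golden image to get a known-good baseline, compares each running host against it to detect drift (the footprint an APT leaves behind), and emits a repair, repave, or ok decision per host. The version strings, paths, file contents and the 4-hour maximum age are all assumptions made for the illustration.

```python
# Added example: a hypothetical repair/repave planner for an immutable
# fleet. The inventory below is constructed for illustration; this is not
# Pivotal Operations Manager or BOSH code.
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass(frozen=True)
class Instance:
    name: str
    image_version: str              # golden image ("stemcell") it was built from
    repaved_at: datetime            # last rebuild from that image
    file_digests: Dict[str, str]    # path -> sha256 observed on the running host


def image_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Digest every file of the golden image: the known-good baseline."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def drift(baseline: Dict[str, str], observed: Dict[str, str]) -> List[str]:
    """Paths added, removed or modified relative to the golden image.

    Anything listed here was not put there by the build; an APT's persistence
    (dropped binaries, edited configs) shows up exactly this way.
    """
    return sorted(p for p in baseline.keys() | observed.keys()
                  if baseline.get(p) != observed.get(p))


def plan(instances, latest_version, baseline, now, max_age=timedelta(hours=4)):
    """Decide, per instance, whether to repair, repave, or leave alone."""
    actions: Dict[str, List[str]] = {}
    for inst in instances:
        reasons = []
        # Repair: the image it runs is not the one carrying the latest patches.
        if inst.image_version != latest_version:
            reasons.append(f"repair: image {inst.image_version} is not latest {latest_version}")
        # Repave on age: cap how long any host exists since its last clean build.
        age = now - inst.repaved_at
        if age > max_age:
            reasons.append(f"repave: age {age} exceeds {max_age}")
        # Repave on drift: the host no longer matches its known-good state.
        changed = drift(baseline, inst.file_digests)
        if changed:
            reasons.append(f"repave: drift in {changed}")
        actions[inst.name] = reasons or ["ok"]
    return actions


def demo() -> Dict[str, List[str]]:
    """Constructed fleet: one clean host, one stale image, one drifted host."""
    golden_files = {                                   # constructed sample image
        "/usr/sbin/sshd": b"sshd build 9.3p1",
        "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    }
    baseline = image_manifest(golden_files)
    latest = "3586.24"
    now = datetime(2020, 1, 1, 12, 0, tzinfo=timezone.utc)

    clean = dict(baseline)
    drifted = dict(baseline)                           # someone edited a config and dropped a file
    drifted["/etc/ssh/sshd_config"] = hashlib.sha256(b"PermitRootLogin yes\n").hexdigest()
    drifted["/tmp/.cache/x"] = hashlib.sha256(b"not-from-the-image").hexdigest()

    fleet = [
        Instance("web-1", latest, now - timedelta(hours=1), clean),
        Instance("web-2", "3586.19", now - timedelta(hours=2), clean),
        Instance("api-1", latest, now - timedelta(hours=30), drifted),
    ]
    return plan(fleet, latest, baseline, now)
```

In an immutable fleet the repair and repave actions are carried out by the same mechanism, redeploying from a fresh image, and only the trigger differs; what the planner adds is a record of why each host was rebuilt, which is the evidence you want when a drifted host turns out to have been an intrusion rather than an operator’s shortcut.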

Cloud-native security and Pivotal

Here’s how Pivotal helps organizations embrace the 3 Rs model:

With Pivotal Operations Manager, enterprises can repave every virtual machine (VM) in their data center from a known good state every few hours without application downtime. They can deploy applications from a continuous integration tool such as Concourse, and application containers will also be repaved every few hours.

Organizations can repair vulnerable operating systems (OSs) and application stacks consistently within hours of patch availability. This is a twist on operations’ traditional use of the golden image. Pivotal refers to this image as a “stemcell,” and updates the stemcell with the latest OS patches for Pivotal Platform customers. Administrators then roll out the new image to their environments. For application stacks, Pivotal uses buildpacks so that applications are built against current runtimes and frameworks.

Enterprises should be able to rotate system credentials every few minutes or hours. That is a daunting task today because a modern system can contain dozens of individual credentials. Pivotal customers can use identity management systems with multi-factor authentication to safeguard systems while Pivotal works on automated credential management.

PCI compliance can improve with Pivotal Platform. Specifically, the optional IPsec add-on module adds security at the network layer of the OSI model using a strongSwan implementation of IPsec. The add-on provides a strongSwan job to each BOSH-deployed VM. IPsec encrypts IP traffic between hosts, between security gateways, and between security gateways and hosts. The add-on secures network traffic within a Cloud Foundry deployment and provides internal protection if a malicious actor breaches the firewall, which helps meet PCI requirements.

• Single Sign-On (SSO) is an all-in-one solution for securing access to applications and APIs on Pivotal Platform. The SSO service supports native authentication, federated SSO, and authorization. Operators can configure native authentication and federated SSO (for example, SAML) to verify the identities of application users. After authentication, the SSO service uses OAuth 2.0 to secure resources or APIs.

• A large investment bank routinely eliminates CVEs from its environment with regular stemcell updates from Pivotal.

• All Pivotal Web Services customers launch applications using runtime buildpacks that are patched and rigorously tested by Pivotal. The two most recent versions are made available, which helps prevent the use of older (and more vulnerable) versions.

• An automotive manufacturer used Pivotal Platform’s roles and permissions to segment access across dozens of teams and hundreds of microservices.